Summary: The kindles have a "Magic Bullet" that will ALWAYS allow custom code to be installed on them, including anything from just adding a jailbreak key, custom screensaver or custom fonts, all the way up to installing a completely different operating system on them, like Android OS. These tools already exist and we know how to use them. Simple step-by-step instructions will be provided, along with custom partition images that already contain the custom changes that we want.

Conclusion: So, good news all around. Not just for me, but for everybody. Yes?

UPDATE: Because this grew into a book-like "manifesto", I broke it up into chapters and added chapter titles. It is really a topic of its own, so I moved it to a new thread called "Fastboot Manifesto". This also replaced previously posted contents that were evolving into the new content as I reworked it and thought about it more.

My Kindle Touch bricked. Thanks to geekmaster and yifanlu, I'm able to boot into fastboot. I have compiled fastboot on my ArchLinux x64. It seems to be working well. It can recognize my Kindle Touch and do flash. However, when I try to do

Code:

./fastboot flash system mmcblk0p1.img

, it takes only 4 seconds to download and 8 seconds to flash, which is not possible for the 350MB image. As a result, the main partition is broken and not bootable.

However,

Code:

./fastboot erase system

takes half a minute, which is normal.

Could anyone tell me the right procedure to recover the main partition (mmcblk0p1) in fastboot?

Thanks!

I successfully reflashed my K4NT and it worked, using the same command that you showed above. I did not erase it first. Flash does not need erasing like EEPROMs do. USB is very fast (up to about 40MB/second, depending on your computer speed), but it still took quite a while to flash mmcblk0p1. If yours quit in 4 seconds something is wrong. Was that on a Touch?

That's what I've been waiting for for like 4 days.
And geekmaster keeps saying that it's possible and will be possible always.
So I keep believing.

BTW: what should happen when the Kindle boots in fastboot mode?
Because I can't see anything happen: nothing changes on the screen, no new USB device connects.

Fastboot mode does not install a USB device driver. Instead, fastboot programs use direct access to the raw USB port, using usblib or equivalent. Fastboot says "<waiting for device>" while scanning the USB ports looking for a device with VID/PID 0x15a2/0x0052, then when it sees one it does the command passed in on the command line.

Up until now, I have been concentrating on tools that do not need fastboot mode. But now that fastboot is the only tool to repair my kindle touch, which was bricked while testing these other methods, I will now concentrate on getting a fastboot solution put together, including simple patches to create preconfigured partition images from original partition backups.

As reported above, there may be a problem with flashing images to a Kindle Touch. Let's hope that is a problem with that particular fastboot tool and not with the Touch. I successfully flashed partitions on a K4NT using a fastboot that I compiled, but I modified the source code to clean all the warning messages before I used it.

I need it to repair my Touch, so this potential problem will be analyzed (and hopefully corrected) soon.

Yes, it's a Kindle Touch 3G. The internal flash memory's speed is up to 8MB/s or something like that, I guess. It is impossible to take less than half a minute to flash the image.

Are you sure that it is that slow? Modern flash devices are limited by the communications channel, not by the media. That is why new SSDs (Solid State Disks) use SATA-3, and ordinary USB flash drives now come with USB 3 (much faster than 480Mbps USB 2). I would need to look up the MMC part specs to know how fast it is. It is possible that it is slow because all the ECC error correction, bad block detection, and write wear leveling (if used) is handled in software on the kindles, so the speed limit may be determined by software rather than mmc chip specifications. You can read details about this in the freescale documentation for the iMX50 CPU SoC used in the K4NT and Touch, and in the source code.

P.S. I really need some sleep before I try using fastboot to reflash my touch to repair the damaged /var/local/mntusb.params file. It is a new idea to me to make CHANGES to a partition by flashing an image file that has those changes preinstalled. I think that this is a GOOD idea.

UPDATE: I have a serial port connection on my touch now. When I use fastboot to flash an image file to the system (or other) partition, the serial port shows a message that it flashed mmcblk0 (which contains linux kernels for main and diags). When I try to boot main or diags it says "linux kernel not found", which confirms that mmcblk0 does appear to have been overwritten with the wrong data. That could also explain why it quits with a "success" message much too quickly. For now, I recommend booting to diags and using the dd command in a RUNME.sh script file to write an mmcblk0p1.img file on the USB drive to /dev/mmcblk0p1, as described in later posts in this thread, and in the "Fastboot Manifesto" thread.

P.S. In English, "rubish" means "in the manner of a rube, or rube-like". It can also mean "Rube Goldberg-like" (i.e. overly complex). Rube: http://www.urbandictionary.com/define.php?term=rube - Rube Goldberg: http://www.dictionaryslang.com/Rube%20Goldberg. "Rubbish" (different word) means "garbage", implying grossly incorrect or useless - how can asking questions and stating known facts be considered "garbage"? So, the next post below must be calling somebody a "rube". What's up, ItsMee?

NOTE: This is not that difficult if you are careful. The following warning is not intended to strike fear into the hearts of mere mortals. Go ahead and use it if it will help you repair your bricked kindle. Just do not try things in fastboot or diagnostics that you do not understand, unless you are instructed to use them. For those who may find all the following English text difficult, here are step-by-step pictures showing how to install and use this tool: http://www.mobileread.com/forums/sho....php?p=1972836

CAUTION: Diagnostic mode and fastboot mode give you a lot of power to repair your kindle from otherwise unrepairable conditions, but they also allow you to do things that can make it worse. With great power comes great responsibility, so please be very careful when you are in fastboot mode or in diagnostics mode. When we provide step-by-step instructions, follow them carefully.

The following text describes a little about how to boot your kindle touch or k4nt into recovery mode, and from there to diagnostics or fastboot mode. You can also use this "Select Boot" tool to boot back to the main mode.

I will update this post as I get more tools ready.

Attached are links to the Freescale MfgTool for Windows, needed to download custom code over USB port into kindle RAM memory and run it in the kindle, while in USB Recovery (USB HID / USB Download) mode.

After unzipping the MfgTool into a folder of your choice, delete the folders from inside the Profiles folder, and copy the folders from inside the Kindle_bootmode.zip file into Profiles folder inside the MfgTool folder.

To get your kindle touch or k4nt into USB Recovery mode, plug in the USB cable, then press and hold the power switch until the power LED turns off, then press and hold the "Magic Key", then release the power switch, then release the "Magic Key". The "Magic Key" is a special button that is different on each model of kindle, and is used to enter USB Recovery mode.

When your kindle is in USB Recovery mode the first time, Windows will detect new hardware, and it should automatically install USB/HID device drivers. The Windows device drivers and other unused files were removed from the previously posted downloads, to reduce the download size from about 70 MB to 0.5 MB. If your version of Windows does not install USB/HID device drivers automatically, you can request them here.

Then start MfgTool.exe, select a bootmode Profile from the drop-down menu (diags, fastboot, or main), and press the Start button in MfgTool. If all goes well, your kindle should boot into the mode that you selected, where you can repair your kindle.

From diagnostics (diags mode), you can export your USB Drive so that you can add files to it to repair your kindle, such as data.tar.gz and a special RUNME.sh file. If you have a K4NT, you can start SSH, and repair your kindle from a linux command shell. For a touch, I will provide additional tools and instructions. I recommend pushing a "reverse shell" using netcat (nc) to your host PC (similar to SSH), or crafting a special RUNME.sh, to assist.

I will provide additional tools and instructions, but what I have attached is enough for developers to assist you. I have supplied 3 additional methods to get root shell on a kindle to various developers, none of which have been published yet.

If you boot to fastboot mode, you can use yifanlu's kindle fastboot tool to flash the main partition with a copy of mmcblk0p1.

Good luck. So far, I have provided a way that requires familiarity with linux shell commands. Additional tools will be provided soon to simplify this, and minimize the risk.

Again, this will get simpler and safer in the future.

Enjoy!

UPDATE: I have added a universal payload that should work with multiple kindles, if installed at /var/local/system/mntus.params, using whatever method is available for that device. For the K4NT and Touch, I have provided a data.tar.gz that contains my "universal" payload which launches RUNME.sh on the USB drive if it exists and there is not a RUNME.done file. The launcher creates a RUNME.done file before starting RUNME.sh, so that it will only run one time. To activate it so it can run again, delete RUNME.done from the USB Drive.

From the diagnostics menu, activate USB Device Mode from the menu. Then copy RUNME.sh (from the zip file) and data.tar.gz onto the kindle USB drive.

This RUNME.sh just displays stuff on the screen to show that it works. Because this can be launched from main or diags mode, the script does not know which partition is root, so to copy files between them (like dropbear SSH) I recommend this:

If you have the USBnetwork (dropbear SSH) files on your touch main partition, you can copy them to diags above. Or if not installed yet, you can extract them using yifanlu's installer, and copy them where they belong on /mnt/main or /mnt/diag.

I was not able to test this version on my Touch, but it should work.

REMINDER: To launch RUNME.sh again, you need to delete RUNME.done from the USB drive.

Please post your results.

Hi, thank you for your great job.

I can enter the USB Recovery Mode, but unfortunately, no matter what u-boot I've downloaded, my Kindle Touch can't boot.

Even when I tried to press it for over 30s, I can't see the green light.

Is there any possibility that with the USB Recovery (HID Mode) I can download the whole binary (firmware)?

The LED is not a reliable indicator of battery status on a bricked kindle. It is controlled by SOFTWARE, not by hardware. In fact, the battery charger is also controlled by SOFTWARE, so bricking a kindle can interfere with charging the battery.

We have had excellent recovery success by charging the battery first. Charge the battery with a wall charger for at least two hours, then use MfgTool to change to fastboot mode (which charges better and faster according to serial i/o messages about battery status during fastboot mode). Charge it in fastboot mode AT LEAST two more hours (preferably overnight) then try again. There are three different people I helped who succeeded ONLY after their battery got enough charge. Without enough, you will see strange behavior, like RUNME.sh not finishing, or fastboot not working, or MfgTool starting to download u-boot to the Kindle but never finishing.

So, charge it enough to get into fastboot mode, then charge it some more. There is a good chance you WILL be able to get to diags, from which you CAN repair your kindle using USB drive export and a custom RUNME.sh launched by data.tar.gz, to fix your "custom" problem...

I have my touch connected to a serial port now, and the ONLY serial i/o messages I see during and after booting to fastboot are battery voltage messages, which show a steady quick charge up to 4.190 volts, where it stabilizes (my k4nt stabilizes at 4.171 volts). Now that I have a good battery charge, I will try debricking it again.

I ONLY see these battery messages while in fastboot mode. In other modes the kindle just aborts my repair attempts faster and faster until it is completely dead and cannot be seen by MfgTool. It does NOT charge on USB in main or diags mode unless on a wall charger, and then not very quickly or reliably.

I think that the reason is because fastboot loads the full bist u-boot from mmc (why there are two u-boot sets above), and the larger bist build has better battery charging code in it. Booting to main or diags just uses the little u-boot that was loaded into RAM.

Here is the IRC session (with permission) from another successfully debricked kindle touch:

Code:

14:51 <dasmoover> so i can repair the dead kindle touch?
14:53 <geekmstr> A lot of people did. I provided a "demo" payload, that does
nothing but put something on the display, but my "universal"
mntus.params works on all kindles by computing the values,
even with no payload, fixes kindles that were bricked when
they used a data.tar.gz for a different kindle model.
14:53 <geekmstr> In that thread, cscat added a command to call the
factory_reset script (not included in my download yet),
that unbricked a lot more kindles...
14:54 <geekmstr> My KindleSelectBoot tool (custom u-boot images and
custom MfgTool profiles) lets you boot a bricked kindle to main,
diags, or fastboot with no changes to mmc...
14:55 <dasmoover> link!
14:55 <dasmoover> i need to restore my old ktouch
14:55 <dasmoover> remember the one i bricked?
14:55 <geekmstr> http://www.mobileread.com/forums/showthread.php?t=169645
14:56 <geekmstr> http://www.mobileread.com/forums/showthread.php?t=170241
14:57 <dasmoover> well wheres the tool dude/
14:58 <geekmstr> downloads in first post:
http://www.mobileread.com/forums/showthread.php?t=169645
14:58 <geekmstr> screenshots this post:
http://www.mobileread.com/forums/showthread.php?p=1972836
15:01 <geekmstr> you can write a RUNME.sh to copy all the dropbear files
from main to diags (if you mount them), if you installed yifanlu's
SSH package. Or you could put his .tar.gz on /mnt/mmc and
make RUNME.sh extract it to diags root if you make it writable...
15:02 <geekmstr> With the dropbear files in place, the USBnet diags menu
starts SSH (which takes about 20 secs for dropbear to init before
you can connect). diags menus N) U) Z) then exit to start dropbear...
15:03 <geekmstr> Either use SSH to mount and fix main, or use some custom
RUNME.sh scripts. Later in the thread I posted (in "code" tags)
that dumps a LOT of diags info into /mnt/us/gmlogs.txt (or
something like that)...
15:04 <geekmstr> Anyway, my tools have unbricked a lot of touches lately,
but they work on k4 as well...
15:04 <geekmstr> k4 is easier because booting to diags gives you ssh.
The dropbear files are already on the diags partition...
15:05 <geekmstr> Read the threads....
15:07 <geekmstr> But especially post#4 for screenshots, and bottom of #1
for downloads. And post #11 for the factory reset option...
15:08 <geekmstr> here you can read the code before installing it:
http://www.mobileread.com/forums/showthread.php?p=1978973
15:09 <dasmoover> cant seem to get into the special mode
15:10 <geekmstr> maybe your battery needs charging. use a usb power
adapter for a few hours. The battery completely drains when
bricked...
15:11 <geekmstr> you need to charge it enough (maybe overnight) to boot to
fastboot mode. In fastboot it charges quickly...
15:11 <dasmoover> ah
15:12 <dasmoover> yeah
15:12 <dasmoover> dead battery icon
15:12 <dasmoover> lol
15:12 <geekmstr> Anyway, try this: Plug into computer USB. Press and hold
power until LED off. Press Home button. Release power. Release
Home. New device with VID/PID 0x15a2/0x0052. Windows USB
HID drivers should install automagically... Then run MfgTool,
which talks to it...
15:13 <geekmstr> Charge it two or 3 hrs, then go to fastboot and fast-charge
it another hour...
15:13 <geekmstr> bricked only charges EXTREMELY slowly and only with a
power adapter...
15:13 <geekmstr> fastboot charges rapidly.
15:14 <geekmstr> Got it?
15:19 <dasmoover> jst gonna charge it a bit
15:22 <geekmstr> My "diags" RUNME.sh is here:
http://mobileread.com/forums/showthread.php?p=1979042
15:24 <dasmoover> beautiful man very good shit here
15:24 <geekmstr> thanks.
15:25 <geekmstr> I post all the steps of the evolution of my learning, in
stream-of-consciousness format, in hopes that others will learn
to learn like I do...
15:26 <geekmstr> Not just the end result, but the PROCESS of getting there
is what is the REAL goldmine...
15:26 <geekmstr> IMHO
15:28 <geekmstr> Of course my epiphany was obvious to people who
came from the android community, but it was new to me...
15:31 <geekmstr> Much of what I learned came from the GPL source code
and the freescale iMX50 Reference (and other) Manuals, and
using the tools you can download at freescale.com
15:33 <geekmstr> And from sbloader code for RockBox and other linux project
that use sbloader, and from yifanlu's fastboot tool (I cleaned the
source code so no warnings with gcc -Wall and -Wextra).
15:34 <dasmoover> awh yeah i'm in diags
15:35 <geekmstr> warning: I successfully flashed images to my k4, but others
say fastboot image flashing on touch reports "success" way too soon
and cannot have worked...
15:36 <geekmstr> Do not erase main system or diags with fastboot. Some dude
in my thread says he erased his before trying to flash it. It is not
eeprom, so why erase flash when you are going to completely fill
that range anyway?
15:36 <dasmoover> okay so i have usb mounted
15:36 <dasmoover> i remember
15:36 <dasmoover> i broke i by loading tun.ko
15:37 <dasmoover> so i'vw got to chang /lib
15:37 <dasmoover> i need to restore /lib
15:37 <geekmstr> in low power mode it loads a 0-byte fake storage device to
keep host PC "green" crap from turning off USB power...
15:38 <geekmstr> In the source code it is called "fstor" mode (fake storage).
It is part of the battery charging process...
15:39 <geekmstr> That is a problem with running scripts from mntus.params,
because "fdisk -l" can return bad values from the fstor device...
15:39 <dasmoover> so i need to create a data.tar.gz with original /lib
15:40 <geekmstr> do not use data.tar.gz -- root partition may not be
writeable. boot diags. export USB. Add MY data.tar.gz to launch
your RUNME.sh at next reboot to diags.
15:41 <dasmoover> okay
15:41 <geekmstr> Put your stuff in a .tar.gz, and have RUNME do "mount
/dev/mmcblk0p1 /mnt/mmc" then extract your package there...
15:42 <dasmoover> so no fastboot?
15:42 <geekmstr> Or --- make a runme and ssh.tar.gz and extract those
dropbear files to diags, so menu N) U) Z) X) will start dropbear.
15:43 <geekmstr> MfgTool with my profiles does NOT need fastboot (except
to recharge the battery).
15:44 <dasmoover> okay so i have /lib in .zip
15:44 <geekmstr> In my case, I did a BAD mntus.params that bricks main
and diags. If fastboot could erase mmcblk0p3 that would fix it, but its
partition names do not indicate which partition, and I already erased
the safe ones.
15:44 <dasmoover> on root
15:44 <dasmoover> usb
15:44 <geekmstr> I can ONLY use fastboot in my case. But you can boot to
diags to export usb drive.
15:44 <dasmoover> yeah
15:44 <dasmoover> i have lib.zip on usb
15:45 <dasmoover> now write a script to mount root and extract?
15:45 <geekmstr> yes...
15:45 <dasmoover> mount /dev/mmcblk0p1 /mnt/mmc
15:46 <dasmoover> unzip /mnt/us/lib.tar /mnt/mmc/
15:46 <dasmoover> does kindle have unzip?
15:46 <geekmstr> you can model it after scripts in my thread. Use the logger
one that pipes ALL output ( all code here ) 2>&1 >>/mnt/us/gmlogs.txt
15:47 <geekmstr> I believe it has unzip. It runs from startup scripts and they
use full path. You could add PATH= at top of script...
15:47 <geekmstr> then do not need full prefix path on all commands like
startup scripts use.
15:48 <geekmstr> mntusb is sourced, and kindle bricks easily from it, so
just use my published one in my data.tar.gz. Look at it though. Good
learning there...
15:48 <dasmoover> okay so now how to run?
15:48 <dasmoover> just rebboot?
15:48 <geekmstr> I like code to fit one screen full. Old school. My scripts
are compact.
15:49 <geekmstr> reboot from menu. Hard reset often does not run payload...
15:49 <dasmoover> D?
15:49 <geekmstr> in diags. reboot from menu.
15:50 <geekmstr> first menu item has a reboot in it. easier than the reboot
buried in the bottom exit menu...
15:50 <geekmstr> touch the first menu item in main screen, then restart there...
15:51 <dasmoover> its restarting
15:51 <geekmstr> I did not publish that yet. I will do screenshots of all the
steps later...
15:51 <dasmoover> still amazon thing
15:51 <dasmoover> happen to have ssh package handy
15:52 <geekmstr> You may need to add a reset for the boot counter if "repair
needed" screen. see the thread. SSH was already installed in main
using yifanlus package. I just copied from main to diags.
15:53 <dasmoover> is that info there
15:54 <geekmstr> https://github.com/downloads/yifanlu/KindleTool/simple_usbnet_1.1.zip
16:13 <dasmoover> how to write back img file in fastboot?
16:13 <dasmoover> i have .img file
16:13 <geekmstr> dd if=/mnt/us/mmcblk0p1.img of=/dev/mmcblk0p1 bs=1024
16:14 <geekmstr> That is probably in 100 posts in the forums. Basic linux.
16:20 <dasmoover> just rebooted.. waiting to see result
16:20 <dasmoover> dunno it still seems bricked
16:20 <dasmoover> i didnt use fastboot
16:20 <dasmoover> i used diags
16:20 <dasmoover> but i wanted to know fastboot
16:21 <dasmoover> i mean i just replaced pl01 and its still not booting up
16:21 <dasmoover> dunno what else could have corrupted
16:22 <geekmstr> did you boot diags (either with ENABLE_DIAGS or with my
boot tool) before writing your p1 image?)
16:22 <dasmoover> boot tool
16:22 <dasmoover> boot tool all times
16:23 <dasmoover> well f--- it wont go into diags now
16:23 <geekmstr> Each reboot goes back to whatever the bootmode var was.
If bootmode = main and no ENABLE_DIAGS, exiting diags booted
to main before running payload.
16:23 <geekmstr> Maybe you need to charge the battery more...
16:24 <geekmstr> charge in fastboot mode.
16:24 <geekmstr> next time in diags, add ENABLE_DIAGS with the payload,
before rebooting.
16:25 <geekmstr> Or... do a hard reset with magic key to use my tool.
16:25 <dasmoover> says
16:25 <dasmoover> runmme.done
16:25 <dasmoover> and runme.out
16:25 <dasmoover> so it mustve run
16:25 <geekmstr> It ran from main. writing an image with files open corrupts it.
16:25 <geekmstr> Do it again with ENABLE_DIAGS.
16:26 <geekmstr> And you are using a low battery, so complications there too...
16:26 <dasmoover> so ENABLE_DIAGS on root righ
16:26 <geekmstr> Erase RUNME.done first or script does not run.
16:26 <geekmstr> ENABLE_DIAGS on usb drive.
16:27 <dasmoover> yah did thatrebooting now
16:27 <geekmstr> Need to update first post. Info in later posts says add
ENABLE_DIAGS and erase RUNME.done and add data.tar.gz
while exporting USB drive in diags.
16:27 <dasmoover> ywah i did all that
16:28 <geekmstr> data.tar.gz erases itself. RUNME.done disables the script.
16:28 <dasmoover> so when its done writing it should boot to diags/
16:29 <geekmstr> It runs ONESHOT mode so a bug does not brick the kindle.
You do NOT need a new data.tar.gz each time -- only if the payload in
/var/local gets deleted (factory restore).
16:30 <geekmstr> The kindle rebuilds /var/local if you dd /dev/zero to
/dev/mmcblk0p3
16:30 <dasmoover> yah i'm wrrwring p1
16:30 <geekmstr> you have ENABLE_DIAGS so it should boot to diags.
16:31 <geekmstr> You may have problems if your battery is too low...
16:31 <dasmoover> its plugged i tho
16:32 <dasmoover> its jut doing the tree stuff
16:32 <geekmstr> It takes a long time to write a 350MB image. If battery low
it will reboot before it completes.
16:32 <geekmstr> Others reported success only after a full recharge in
fastboot mode.
16:34 <geekmstr> You can run the factory_restore script. If you kill
mmcblk0p3 it will rebuild on reboot. If you kill mmcblk0p4 it will
rebuild on reboot. At least that is what the startup scripts say.
16:35 <geekmstr> If it cannot mount p3 or p4 it formats them and copies files
there from /opt
16:38 <geekmstr> It sits at the tree while copying p1.
16:39 <geekmstr> You can use eips to display text on the kindle tree screen.
See my sample RUNME.sh on the first post.
16:39 <geekmstr> You can display progress messages on eink while it runs.
16:40 <geekmstr> But during the dd you can only wait.
16:41 <geekmstr> It can take like 15 minutes or something to copy. Low battery
is a big problem. Not charging during payload. Only draining the
battery (and faster while writing flash).
16:41 <geekmstr> If no luck, charge overnight, and read the thread while it charges...
16:42 <geekmstr> Adding usbnet from the link I posted above allows SSH
from diags and interactive exploration and repair.
17:26 <dasmoover> it is just frozen still
17:26 <dasmoover> unplugged it from computer
17:26 <dasmoover> led died
17:26 <dasmoover> then plugged it into wall
17:26 <dasmoover> waiting now
17:26 <dasmoover> guessing it ran, died
17:27 <dasmoover> so waiting on full charge
17:27 <dasmoover> can get to diags no problem
18:04 <dasmoover> i have all p*
18:30 <dasmoover> all the image blocks
18:31 <dasmoover> anyways i want to use fastboot...
18:31 <geekmstr> You could have mounted it and deleted that tun.ko file and
fixed any script that started it...
18:33 <dasmoover> i f---ed with /lib
18:51 <geekmstr> I had to install libusb-1.0 with apt-get (needed for compile).
18:52 <geekmstr> So you really only need the binary, but I will send all...
18:53 <dasmoover> installed libusb-1.0
18:54 <geekmstr> need to run fastboot with "sudo ./fastboot" or it runs but
only partly works. Usb writing needs sudo...
18:54 <dasmoover> rgr
19:01 <dasmoover> so what command to compile
19:01 <geekmstr> make
19:01 <geekmstr> or make -j5 on a quadcore...
19:02 <dasmoover> gcc -ofastboot fastboot.o protocol.o engine.o
usb_linux.o&&strip fastboot&&upx fastboot>/dev/null
19:02 <dasmoover> /bin/sh: upx: not found
19:02 <dasmoover> make: *** [fastboot] Error 127
19:02 <dasmoover> mb, g
19:02 <dasmoover> nvm fixed
19:02 <geekmstr> I compress my exes with upx. either install upx, or remove
that step from makefile
19:02 <dasmoover> yay it works
19:02 <dasmoover> plugging in kindle now
19:02 <dasmoover> err
19:02 <dasmoover> booting fastboot mode
19:03 <dasmoover> then unplugging and jacking into my linux machine
19:03 <geekmstr> sudo ./fastboot getvar bootmode
19:03 <dasmoover> do i set it via mfg or this tool
19:03 <geekmstr> you can read or write all idme vars with fastboot
19:03 <geekmstr> to get to fastboot mode, need mfgtool.
19:03 <dasmoover> okay
19:03 <dasmoover> brb setting it in
19:04 <geekmstr> In fastboot mode, fastboot tool will see it.
19:04 <geekmstr> usb in, power press, led off, home press, power release.
19:04 <dasmoover> okay sent to fastboot
19:04 <dasmoover> can i unplugand plug into linux now
19:05 <dasmoover> i got fastboot woking
19:05 <geekmstr> try sudo ./fastboot getvar bootmode
19:06 <dasmoover> its running down a bunch of stuff
19:06 <geekmstr> It is normal for "check main" or whatever to fail. The flash
CRC is set at first flash, but mounting a partition from mmc changes
it to not match flash header crc.
19:06 <dasmoover> so now what
19:10 <dasmoover> thats all the command sees
19:10 <geekmstr> But vid/pid is for a different usb device
19:10 <dasmoover> ill unplug em ll
19:10 <dasmoover> ill unplug em all
19:10 <geekmstr> leave kindle plugged in. Put it in USB HID mode. Tell
MfgTool to use fastboot profile. Click start.
19:10 <dasmoover> thats what i did
19:10 <geekmstr> Other devices do not matter.
19:10 <dasmoover> then i unplugged it and put it on my linux box
19:10 <dasmoover> now we are here
19:11 <geekmstr> Did you do sudo?
19:11 <dasmoover> trying to use fastboot
19:11 <dasmoover> yes..
19:11 <geekmstr> It cannot send commands unless root.
19:11 <geekmstr> It must see vendor 0x1949,product 0xd0d0
19:12 <geekmstr> dev(vendor:0x1949,product:0xd0d0,...
19:13 <dasmoover> it still shows same values when kindle is not plugged in
19:13 <geekmstr> The kindle SHOULD go into fastboot mode if your tool can
write usb (needs to be root for usb write access)
19:13 <dasmoover> just sent into fastboot via mfg..
19:14 <dasmoover> unplugging and putting onto linux box now
19:14 <geekmstr> 0x1948 belongs to lab126.
19:14 <dasmoover> LED died on unplug
19:14 <geekmstr> Do not unplug.
19:14 <dasmoover> dude i have to
19:14 <dasmoover> in order to put my windows machine
19:14 <dasmoover> with mfg
19:14 <dasmoover> tolinux box
19:15 <dasmoover> with fastboot
19:15 <dasmoover> how2set fastboot mode in linux then
19:16 <geekmstr> Yifanlu said that the "install fastboot bundle" item in diags
sets fastboot mode. Did not try that myself...
19:16 <dasmoover> ill try to do that
19:16 <geekmstr> mfgtool boot diags. fastboot bundle while plugged into linux
and fastboot running.
19:23 <dasmoover> got it in fastboot mode
19:24 <geekmstr> try sudo ./fastboot getvar bootmode
19:25 <dasmoover> dev(vendor:0x1949,product:0xd0d0,class:0,subclass:0,
protocol:0),writable:1,ifc(class:255,subclass:66,protocol:3),
has_bulk(in:1,out:1),serial_number:0061XXXXXXXXXXXX
19:25 <dasmoover> bootmode: fastboot
19:25 <dasmoover> dev(vendor:0x1949,product:0xd0d0,class:0,subclass:0,
protocol:0),writable:1,ifc(class:255,subclass:66,protocol:3),
has_bulk(in:1,out:1),serial_number:0061XXXXXXXXXXXX
19:26 <dasmoover> finished. total time: 0.001s
19:26 <dasmoover> bootmode: fastboot
19:26 <dasmoover> finished. total time: 0.001s
19:26 <dasmoover> sudo ./fastboot flash system mmcblk0p1.img
19:26 <dasmoover> right
19:26 <geekmstr> that looks good.
19:26 <geekmstr> flash should take many minutes
19:26 <dasmoover> downloading 'system'...
19:26 <dasmoover> OKAY [ 3.764s]
19:26 <dasmoover> writing 'system'...
19:26 <geekmstr> a user on mobileread said it completes in 4 seconds.
Too fast...
19:26 <dasmoover> writing 'system'...
19:26 <dasmoover> OKAY [ 8.991s]
19:26 <dasmoover> finished. total time: 12.756s
19:26 <dasmoover> uhhh
19:27 <geekmstr> It took many minutes on my k4nt...
19:27 <dasmoover> should i erase then put back on? or test first
19:27 <geekmstr> maybe the touch has a fastboot bug?
19:27 <geekmstr> NO do not erase.
19:27 <geekmstr> Flash memory does not need that.
19:27 <geekmstr> that will make it worse.
19:28 <dasmoover> okay
19:28 <dasmoover> guess a reboot
19:28 <geekmstr> You could still use dd to write it from a RUNME.sh instead
of fastboot.
19:28 <dasmoover> or another flash
19:28 <geekmstr> apparently touch fastboot does not flash good, with false
success report.
19:28 <geekmstr> It cannot be that fast.
19:29 <geekmstr> USB is not that fast.
19:29 <geekmstr> I think it is a bug
19:29 <geekmstr> do this:
19:29 <geekmstr> sudo ./fastboot setvar bootmode diags
19:30 <geekmstr> that will boot to diags next time you boot. If not, boot there
with MfgTool.
19:30 <dasmoover> okay how2reboot
19:31 <geekmstr> hold power button 20 seconds.
19:31 <geekmstr> the fastboot reboot command does not work.
19:31 <geekmstr> You can repair it with RUNME.sh. fastboot is buggy on
the touch...
19:32 <dasmoover> ive tried runme.sh
19:32 <dasmoover> it has not worked for me writing the .img
19:32 <geekmstr> You booted main that time...
19:32 <dasmoover> okay will retry
19:32 <dasmoover> have usb up
19:33 <geekmstr> boot diags, export usb, add ENABLE_DIAGS and remove
RUNME.done. reboot. payload will run in diags this time...
19:33 <dasmoover> do i need to redrop data.tar.gz no right?
19:33 <geekmstr> You did not have ENABLE_DIAGS last time. It ran in main...
19:33 <geekmstr> No tar file needed. already dropped exploit that runs
RUNME.sh...
19:34 <dasmoover> okay
19:34 <dasmoover> hard reboot?
19:34 <geekmstr> yes.
19:34 <geekmstr> I think I should change my payload to detect main, set
bootmode=diags, and reboot...
19:34 <geekmstr> and only call RUNME.sh when in diags boot.
19:35 <geekmstr> writing to the partition you booted from will corrupt it...
19:35 <dasmoover> okay hard rebooting wall plugged in
19:32 <dasmoover> fixed :)
20:32 <dasmoover> thank you very much

I posted this IRC session here (with permission), during which a bricked kindle was explored and successfully restored to full operation, in hopes that others can learn from it to help them debrick their kindle touch (or k4nt).

As this and other posts show, it is not a good idea to erase or flash partitions with fastboot for touch yet, even though it worked well for my k4nt. But you can flash partitions with the "dd" command just fine.

Be sure to boot diags to flash main from RUNME.sh, and boot main to flash diags from RUNME.sh. It is not good to change a partition that contains open files because you booted from it. Also be sure to have ENABLE_DIAGS set accordingly, because you need to reboot to run the RUNME.sh. It has been reported in various threads that RUNME.sh does not reliably run during a hard reset (long power button hold) so be sure to reboot using a menu item.

Good luck, and good learning! This is not easy (yet). I want a GUI that lets you choose what steps you want to do, and which makes a custom RUNME.sh for you. I want a GUI that runs fastboot for you, and avoids all the command-line stuff, and runs in Windows and Linux and Mac. Now, who is going to write that for me... EDIT: It seems that ixtab wrote that "GUI" for me (Kubrick)!

P.S. I want to thank yifanlu who helped me learn this stuff by guiding me through an IRC recovery session similar to the one shown above, but which was spread over a period of about one week, interrupted by studying manuals and code, which helped me debrick my k4nt, when we were first learning about what USB Downloader mode was and how we could use it. I also want to thank all the others who provided feedback and useful pointers that contributed to my learning as much as I have (so far) about this stuff. Thanks guys (and ladies)!

Downloads: See the "simple debricking" sticky.
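
The advice above (flash with dd from RUNME.sh, never onto the partition you booted from) and the false "success" report from fastboot in the IRC log both point to a write that is guarded and then read back. The following is an added example, not code from this thread or its tools: the function names, the return codes and the assumption that the kernel command line names the root as `root=<device>` are hypothetical.

```shell
#!/bin/sh
# Added example: guarded, verified dd write for a RUNME.sh-style payload.
# Function names and return codes are hypothetical; regular files can stand
# in for /dev/mmcblk0pN when trying it off-device.

# booted_from TARGET CMDLINE MOUNTS: succeeds if TARGET is the running root
# (root=TARGET on the kernel command line, an assumption) or is mounted.
booted_from() {
    tr ' ' '\n' < "$2" | grep -Fqx "root=$1" && return 0
    awk -v t="$1" '$1 == t { hit = 1 } END { exit !hit }' "$3"
}

# flash_verified IMAGE TARGET [CMDLINE] [MOUNTS]
# Returns 0 = written and read back identical, 2 = refused,
#         3 = dd reported an error, 4 = read-back differs from the image.
flash_verified() {
    image=$1 target=$2
    [ -s "$image" ] || { echo "refused: $image missing or empty" >&2; return 2; }
    # Writing to the partition you booted from will corrupt it.
    if booted_from "$target" "${3:-/proc/cmdline}" "${4:-/proc/mounts}"; then
        echo "refused: $target is in use; boot the other mode first" >&2
        return 2
    fi
    size=$(( $(wc -c < "$image") ))
    dd if="$image" of="$target" bs=4096 conv=notrunc 2>/dev/null || return 3
    sync
    # Best effort (root only): drop the page cache so the read-back comes
    # from the storage device rather than from RAM.
    { echo 3 > /proc/sys/vm/drop_caches; } 2>/dev/null || true
    # A clean exit from the writer is not proof; compare the bytes written.
    if head -c "$size" "$target" | cmp -s - "$image"; then
        echo "verified: $size bytes on $target"
        return 0
    fi
    echo "MISMATCH: $target does not match $image" >&2
    return 4
}

# On the device, from the payload:
#   flash_verified mmcblk0p1.img /dev/mmcblk0p1
```

A return code of 4 is the case the IRC log shows for fastboot on the touch: the tool says it finished, but the partition does not hold the image.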

The LED is not a reliable indicator of battery status on a bricked kindle. It is controlled by SOFTWARE, not by hardware. In fact, the battery charger is also controlled by SOFTWARE, so bricking a kindle can interfere with charging the battery.

We have had excellent recovery success by charging the battery first. Charge the battery with a wall charger for at least two hours, then use MfgTool to change to fastboot mode (which charges better and faster according to serial i/o messages about battery status during fastboot mode). Charge it in fastboot mode AT LEAST two more hours (preferably overnight) then try again. There are three different people I helped who succeeded ONLY after their battery got enough charge. Without enough, you will see strange behavior, like RUNME.sh not finishing, or fastboot not working, or MfgTool starting to download u-boot to the Kindle but never finishing.

So, charge it enough to get into fastboot mode, then charge it some more. There is a good chance you WILL be able to get to diags, from which you CAN repair your kindle using USB drive export and a custom RUNME.sh launched by data.tar.gz, to fix your "custom" problem...

I have my touch connected to a serial port now, and the ONLY serial i/o messages I see during and after booting to fastboot are battery voltage messages, which show a steady quick charge up to 4.190 volts, where it stabilizes (my k4nt stabilizes at 4.171 volts). Now that I have a good battery charge, I will try debricking it again.

I ONLY see these battery messages while in fastboot mode. In other modes the kindle just aborts my repair attempts faster and faster until it is completely dead and cannot be seen by MfgTool. It does NOT charge on USB in main or diags mode unless on a wall charger, and then not very quickly or reliably.

I think that the reason is because fastboot loads the full bist u-boot from mmc (why there are two u-boot sets above), and the larger bist build has better battery charging code in it. Booting to main or diags just uses the little u-boot that was loaded into RAM.

geekmaster, thank you so much for your detailed reply. As you mentioned, if the battery is low, the behavior will be strange.

Actually, that's exactly the problem I've met: MfgTool starting to download u-boot to the Kindle but never finishing. The issue is, the MfgTool shows it downloaded successfully, but the start/stop button is still in red, which is not a normal finish I assume.

And also, I tried to charge the battery by a wall charger, however, the orange light will turn on and last for 3~4 hours, then it will go dim (no lights any more). I've done that like three to four times. I think the charging didn't work out, right?

Another quick question is, is there any download link for the whole Kindle Touch binary image in case my FLASH (or partition) is corrupted?

Thank you so so so much for your help.

Kindles can get bricked in different ways. Charging them could depend on how they are bricked.

When I bricked my old K4NT I did not know how to charge it and nothing seemed to work enough. Charging overnight got me only about 20 to 30 minutes in which I could load u-boot with MfgTool, then it would not work again. I would have to charge it with a wall charger overnight before it would work with MfgTool again. I ended up charging the old K4NT battery using the new K4NT without removing either battery (they are glued in with a very secure glue). I was able to position the two kindles back to back and get the battery cable connected between them using needle-nosed pliers, after folding the cable back at a 45-degree angle. I later discovered that I could get a full charge in fastboot mode so this risky procedure would not have been necessary.

Conclusion: charge enough to get into fastboot mode, then fully charge it in fastboot mode. You can monitor the charging process with a serial port connection. As mentioned before, the LED is software-controlled and cannot be trusted on a bricked kindle.

Regarding the complete touch backup image, I have used "dd" to copy the first 32MB of mmcblk0p1 (which contains the linux kernels for main and diags), but it has long stretches of 0x00 in it. According to yifanlu, it appears that parts of this memory are "write-only" to user-land processes such as the dd command I used. It was reported that the idme command we use to read and write idme vars (serial, pcbsn, mac, mfg, accel, bootmode, postmode) writes directly to those locations, but reads a /proc (kernel driver interface) to get those values from a kernel-mode process that reads them.

That means that some areas of our mmc are not readable by "dd", so a full backup would not contain all the data (all those 0x00 in my backup?). But it looks like we may be able to WRITE an image though, which could possibly write bad data onto good data in those protected areas if we use dd to write an image that was created with dd.

What we really need is a kernel-mode process to read and write mmc (similar to idme, but which can give us a full backup of protected areas of mmc and not just the idme vars). A tool such as this may be considered a security risk by amazon (a hack tool) because those areas were not protected by accident and may contain information that would help people do bad things (like decrypt protected books purchased from amazon). We want this tool for good, and people already know how to do the bad things without this, so I hope amazon would not give us trouble for creating or using such a tool.

I think we can get a full backup of all of the mmc contents now (including protected areas) by exporting it over the serial port. There were early reports of this being done on the forums during the early analysis of the Touch, when a jailbreak method was being researched.

We can normally flash (write) to mmc using tools such as MfgTool or fastboot. Unfortunately, there appears to be a fastboot bug in the touch, where flashing other partitions writes onto mmcblk0 instead of where it belongs, and terminates early with a false "success" report. That means that my touch mmcblk0p1 may be corrupted now, and the serial port verifies that when I try to boot main or diags, when I get a "linux kernel not found" error message in the serial port status messages.

So what I need to explore this further is a copy of mmcblk0 (at least the first 32MB) from somebody who exported it from a good kindle touch using the serial port. I want to fix fastboot so that it works correctly. In the meantime, USB Downloader mode has most of the same functionality as fastboot, so perhaps we can flash the touch partitions using MfgTool (with different profiles) instead of fastboot. We can use fastboot after it gets repaired.